With the two rules, the client is redirected to the nonpayment portal when using Mozilla or Internet Explorer with no hitch, but come to Chrome, YouTube works non-stop, plus Gmail. You will only hit the nonpayment page if you open bbc.com.

When I add the third rule as below:

2 ;;; cut all other traffic like Peer to peer connections (redirect them to router itself)
  chain=dstnat action=redirect protocol=!tcp src-address-list=SpLBL_blocked

Yes, the blocked client gets no internet but is never redirected to the nonpayment portal!! This rule keeps populating the packet drops.

So the client is not aware whether it is billing or just an internet outage without notice!!

Because before the HTTP traffic takes place, there is a DNS request (whose mission is to get the IP address of the website the user is trying to visit). So, considering DNS is a UDP protocol, the !tcp rule is blocking it, so the web browser never gets the IP address it needs, and it just times out... Solution: allow the DNS request as your first rule.
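The rule-ordering effect described in the answer, as an added example that is not part of the original thread: a small first-match model of the dstnat chain showing where a blocked client's DNS query lands with and without a DNS rule placed first. The client address, the HTTP portal rule and the DNS accept rule are assumptions; only rule 2 is taken from the post.

```python
# Minimal first-match model of a dstnat chain (illustrative, not RouterOS code).
from dataclasses import dataclass
from typing import Optional

BLOCKED = {"10.0.0.50"}  # constructed stand-in for address list SpLBL_blocked

@dataclass
class Packet:
    src: str
    proto: str                      # "tcp", "udp", "icmp"
    dst_port: Optional[int] = None

@dataclass
class Rule:
    comment: str
    action: str                     # "accept" or "redirect"
    proto: str                      # "tcp", "udp", or negated such as "!tcp"
    dst_port: Optional[int] = None  # None means any port

    def matches(self, p: Packet) -> bool:
        if p.src not in BLOCKED:    # every rule here is scoped to the blocked list
            return False
        if self.proto.startswith("!"):
            if p.proto == self.proto[1:]:
                return False
        elif p.proto != self.proto:
            return False
        return self.dst_port is None or self.dst_port == p.dst_port

def evaluate(chain, p):
    """Return (action, comment) of the first matching rule; later rules are not consulted."""
    for r in chain:
        if r.matches(p):
            return r.action, r.comment
    return "accept", "no rule matched"

HTTP_TO_PORTAL = Rule("assumed: HTTP to portal", "redirect", "tcp", 80)
CUT_NON_TCP = Rule("rule 2 from the post", "redirect", "!tcp")
ALLOW_DNS = Rule("assumed fix: allow DNS first", "accept", "udp", 53)

BROKEN = [HTTP_TO_PORTAL, CUT_NON_TCP]
FIXED = [ALLOW_DNS, HTTP_TO_PORTAL, CUT_NON_TCP]

dns_query = Packet("10.0.0.50", "udp", 53)   # constructed sample packets
http_get = Packet("10.0.0.50", "tcp", 80)
p2p = Packet("10.0.0.50", "udp", 6881)

if __name__ == "__main__":
    for name, chain in (("broken", BROKEN), ("fixed", FIXED)):
        for pkt in (dns_query, http_get, p2p):
            print(name, pkt.proto, pkt.dst_port, evaluate(chain, pkt))
```

In the broken order the DNS query is caught by the `protocol=!tcp` rule before the browser ever sends HTTP; with the DNS rule first, other non-TCP traffic is still caught by rule 2.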